b'                                                       AUDIT\n\n\n\n\n               OFFICE OF\n               INSPECTOR GENERAL\n               U.S.DEPARTMENT OF THE INTERIOR\n\n\n\n\n SELECTED INTERNAL CONTROLS IN\n THE OFFICE OF SPECIAL TRUSTEE\n FORAMERICAN INDIANS\n\n\n\n\nReport No.: ZZ-EV-OST-000 1-20 12               December 20 I I\n\x0c              OFFICE OF\n              INSPECTOR GENERAL\n              U.S.DEPARTMENT OF THE INTERIOR\n\n                                                                              DEC 0 8 2011\n\nMemorandum\n\nTo:            David J. Hayes\n               Deputy Secretary oft\n\nFrom:          Mary L. Kendall71 ~L...-~\n               Acting Inspector Gene\n\nSubject:       Audit of Selected Internal Controls in the Office of Special Trustee for American\n               Indians\n               Report No. ZZ-EV-OST-0001-2012\n\n        This memorandum transmits our report detailing the results of our audit of six internal\ncontrol weaknesses that had been asserted to exist in the Office of Trust Fund Investments\n(OTFI), a component of the Office of Special Trustee for American Indians (OST). The principal\ndeputy special trustee (PDST) made these assertions in his draft memorandum titled "FY 2011\nAnnual Assurance Statement on Internal Controls."\n\n        The PDST asserted that OST had insufficient internal controls to ensure that only\nauthorized personnel initiated and approved investment transactions. He also stated that OST did\nnot have sufficient internal controls because the office lacks an automated order management\nsystem. The fact that the same investment contractor provided two distinct services was also a\nconcern for the PDST. Finally, the PDST asserted that three transactions from FY 2010 did not\nidentify the rating of the securities that had been traded, which did not comply with OST policies\nin place at that time.\n\n         When we examined the related internal controls, however, we could not substantiate the\nPDST\' s assertions. We found that the internal controls for initiating and approving transactions\nwere adequate. The internal controls the PDST described as being insufficient without an order\nmanagement system were also sufficient. We could not confirm any weaknesses resulting from\nthe same contractor using two systems to perform two separate functions, and we could not\nsubstantiate the assertion about the three securities because the securities actually had AAA\nratings.\n\n      If you have any questions about this report, please do not hesitate to contact me at 202-\n208-5745.\n\n\ncc:     DOl Chief of Staff\n        Assistant Secretary for Policy, Management and Budget\n        Deputy Assistant Secretary for Budget, Finance, Performance, and Acquisitions\n\n\n\n                               Office of Inspector General I Washington, DC\n\x0cTable of Contents\nResults in Brief ....................................................................................................... 1\n\n\nIntroduction ............................................................................................................. 2\n\n   Objective ............................................................................................................. 2\n\n   Background ......................................................................................................... 2\n\n\nFindings................................................................................................................... 3\n\n   Assertions 1 and 2: Investment Transactions ...................................................... 3\n\n   Assertions 3 and 4: Order Management System ................................................. 4\n\n   Assertion 5: One Service Provider ...................................................................... 5\n\n   Assertion 6: Unrated Securities ........................................................................... 5\n\n\nConclusion .............................................................................................................. 6\n\n\nAppendix 1: Scope and Methodology..................................................................... 7\n\n   Scope ................................................................................................................... 7\n\n   Methodology ....................................................................................................... 7\n\n\x0cResults in Brief\n\nAt the request of the U.S. Department of the Interior, we evaluated six internal\ncontrol weaknesses that had been asserted to exist in the Office of Trust Fund\nInvestments (OTFI), a component of the Office of Special Trustee for American\nIndians (OST). The weaknesses were asserted by the principal deputy special\ntrustee (PDST) in his draft memorandum titled \xe2\x80\x9cFY 2011 Annual Assurance\nStatement on Internal Controls.\xe2\x80\x9d The PDST\xe2\x80\x99s feeling that internal controls over\nOTFI were insufficient was based on two investment errors that occurred during\nfiscal year (FY) 2011. Although both mistakes were caught, the PDST qualified\nthe draft assurance statement due to his concerns about the controls.\n\nThe PDST asserted that OST had insufficient internal controls to ensure that only\nauthorized personnel initiated and approved investment transactions (assertions 1\nand 2). He also stated that OST did not have sufficient internal controls because\nthe office lacks an automated order management system (assertions 3 and 4). The\nfact that the same investment contractor provided two distinct services was also a\nconcern for the PDST (assertion 5). Finally, the PDST asserted that three\ntransactions from FY 2010 did not identify the rating of the securities that had\nbeen traded, which did not comply with OST policies in place at that time\n(assertion 6).\n\nWhen we examined the related internal controls, however, we were unable to\nvalidate the PDST\xe2\x80\x99s assertions. We found that the internal controls for initiating\nand approving transactions were adequate. The internal controls the PDST\ndescribed as being insufficient without an order management system were also\nsufficient. We could not confirm any weaknesses resulting from the same\ncontractor using two systems to perform two separate functions, and we could not\nsubstantiate the assertion about the three securities because the securities actually\nhad AAA ratings.\n\n\n\n\n                                                                                    1\n\x0cIntroduction\n\nObjective\nOur objective was to assess the validity of six internal control weaknesses\nasserted to exist in the Office of Trust Funds Investments (OTFI). These\nweaknesses were asserted by the principal deputy special trustee (PDST) in the\nOffice of Special Trustee for American Indians (OST) draft memorandum titled,\n\xe2\x80\x9cFY 2011 Annual Assurance Statement on Internal Controls.\xe2\x80\x9d\n\nBackground\nEstablished by the American Indian Trust Fund Management Reform Act of 1994\n(Public Law 103-412), OST was created to improve the accountability and\nmanagement of Indian funds held in trust by the Federal Government. As trustee,\nthe Department of the Interior (DOI) is responsible for managing both tribal trust\nfunds and Individual Indian Money (IIM) accounts, as well as resources that\ngenerate income for those accounts. Each year, OTFI enters into approximately\n170 trades involving IIM and tribal accounts.\n\nIn order to meet the requirements of Office of Management and Budget Circular\nA-123, DOI requires OST to issue an annual assurance letter on internal controls.\nThis letter provides assurance to DOI that OST\xe2\x80\x99s internal controls\xe2\x80\x94operations,\npolicies, and procedures that managers use to achieve program goals and\nsafeguard program integrity\xe2\x80\x94are in place and sufficient. Internal controls are\ndesigned to provide reasonable (but not absolute) assurance that programs achieve\nthe objectives of effective and efficient operations, reliable financial reporting,\nand compliance with applicable laws and regulations. Weaknesses or deficiencies\nin internal controls compromise program effectiveness and can lead to fraud,\nwaste, and mismanagement.\n\nThe PDST felt that the internal controls over OTFI were insufficient due to two\nincidents that occurred in fiscal year (FY) 2011. In the first incident, OTFI\nerroneously purchased an unrated security. In the second, the trust services system\ncontractor, SEI Investments, Inc., erroneously posted a full call that should have\nbeen a partial call. 1 Although both errors were caught, in October 2011 the PDST\nprovided the Office of Policy Management and Budget a \xe2\x80\x9cqualified\xe2\x80\x9d draft\nassurance letter based on his concerns over the internal controls.\n\nBecause the effectiveness of these internal controls has a direct impact on the\nscope of work for DOI\xe2\x80\x99s annual financial statement audits, DOI asked us on\nOctober 20 to determine the validity of the PDST\xe2\x80\x99s assertions related to six OTFI\ncontrols.\n\n1\n  Under certain circumstances, a bond issuer can call, or redeem, a bond before it matures. The issuer can\nredeem either the full value of the bond, which is known as a full call, or a percentage of the value, or partial\ncall.\n\n\n                                                                                                                2\n\x0cFindings\n\nAt DOI\xe2\x80\x99s request, we evaluated six of the PDST\xe2\x80\x99s assertions related to the\nsufficiency of OTFI internal controls. We could not substantiate his assertions.\n\nAssertions 1 and 2: Investment Transactions\nThe PDST asserted that OST had insufficient internal controls to ensure only\nauthorized personnel initiated and approved investment transactions. 2 The PDST\ngave two reasons for stating the controls were insufficient: (1) OTFI investment\nofficers phone the brokers/dealers directly to place an investment order instead of\nplacing orders through an automated order management system (OMS), and\n(2) there is no automated approval of transactions.\n\nWhile these conditions are true, OST has compensating controls in place to\nprevent unauthorized personnel from initiating or approving transactions. Based\non our interviews with key personnel, document reviews, and an examination of\n30 investment transactions completed in FY 2011, we determined that the internal\ncontrols for initiating and approving investment transactions were adequate. In\nparticular, we found that\xe2\x80\x94\n\n     \xe2\x80\xa2\t The OTFI investment officer must use an authorized broker/dealer from\n        OST\xe2\x80\x99s official list, which is reviewed and updated annually. This control\n        helps ensure brokers/dealers are familiar with the investment officers and\n        thus prevent an unauthorized person from initiating an investment.\n\n     \xe2\x80\xa2\t The approved brokers/dealers also have a letter listing the authorized\n        OTFI investment officers who may initiate transactions. This control helps\n        prevent unauthorized individuals from initiating an investment. Moreover,\n        OST notifies the brokers/dealers that the investment officers can only\n        purchase \xe2\x80\x9csecurities that are issued or guaranteed by the U.S. Government\n        and its agencies or instrumentalities.\xe2\x80\x9d As a result, this control should keep\n        even authorized OTFI investment officers from purchasing an\n        inappropriate security.\n\n     \xe2\x80\xa2\t All investment transactions must be entered in the investment module of\n        OST\xe2\x80\x99s Trust Funds Accounting System (TFAS) for finalization. Until the\n        transaction is entered in TFAS, OST has not actually bought or sold the\n        investment. Only the five OTFI employees have access to the investment\n        module. This control ensures that only individuals authorized by OST to\n        initiate an investment can obligate OST and finalize a transaction.\n\n\n2\n  Assertion 1 stated: \xe2\x80\x9c\xe2\x80\xa6Investments had insufficient internal controls to insure that only authorized \n\npersonnel initiated investment transactions.\xe2\x80\x9d\n\nAssertion 2 stated: \xe2\x80\x9c\xe2\x80\xa6Investments had insufficient internal controls to insure that only authorized personnel\n\napproved investment transactions.\xe2\x80\x9d\n\n\n\n                                                                                                             3\n\x0c     \xe2\x80\xa2\t SEI Investments automatically compares TFAS and broker/dealer entries\n        against each other to make sure all the details match. If SEI identifies a\n        discrepancy, it will hold the deal and research the matter further. All\n        discrepancies must be corrected before the transaction can be completed.\n        This control prevents a single individual from being able to initiate a\n        transaction.\n\n     \xe2\x80\xa2\t Since July, the director manually reviews transactions daily. Settlements\n        occur at least 1 day after the transaction, giving the director time to cancel\n        the transaction if he identifies a problem during his review. In the 30\n        sample transactions we examined, an average of 14 days elapsed from\n        agreement to settlement. This control helps ensure that only authorized\n        transactions are confirmed.\n\nAlthough these internal controls are currently sufficient, OST could strengthen its\napproval controls by enabling an existing feature in TFAS that would require an\nautomated approval to complete an investment transaction. In August 2011, the\nassociate PDST requested this feature be enabled, but she was overruled by the\nPDST.\n\nAssertions 3 and 4: Order Management System\nThe PDST asserted that OST had insufficient internal controls because it lacked\nan OMS. 3 An OMS, however, is not an internal control in and of itself; it is a tool\nfor buying and selling investments. Therefore, the lack of an OMS is not an\ninternal control weakness.\n\nBased on a closer review of the PDST\xe2\x80\x99s assertions, we determined the underlying\ninternal controls he described as being insufficient without an OMS were actually\nin place:\n\n     \xe2\x80\xa2\t Compliance. A compliance check reviews the investment transaction\n        against a set of standards to ensure the transaction meets those standards.\n        For example, a compliance check may validate that the security in the\n        transaction has the required rating. A separate, automated compliance\n        check is not necessary because the director of OTFI manually reviews\n        transactions for compliance with policy.\n\n\n3\n  Assertion 3 stated: \xe2\x80\x9c\xe2\x80\xa6Investments had insufficient internal controls to insure that only authorized\npersonnel initiate, approve and execute transactions independently with the oversight of a compliance\nfunction using an order management system or other system that provides for the ability to perform real time\naudits for trading approvals, third party price comparison to validate orders, compliance with all applicable\npolicies and laws and the safeguarding of assets and investment transaction are conducted by law by an\nindividual dispassionate individual from a separate reporting authority from the portfolio manager and\nsupervisor.\xe2\x80\x9d\nAssertion 4 stated: \xe2\x80\x9c\xe2\x80\xa6Investments had insufficient internal controls since an order management system, trust\nand custody and accounting systems fails to provide through put processing of transactions, fails to provide\nadequate separation of duties, fails to provide real time audit information that illustrates compliance with all\napplicable laws and policies and controls to initiate and complete transactions.\xe2\x80\x9d\n\n\n                                                                                                              4\n\x0c     \xe2\x80\xa2\t Audit Logging. Audit logging refers to a computer system logging all\n        activity on the system so that a third party (such as an auditor) can audit\n        the log as the activity happens to ensure compliance with policies. TFAS\n        already does this.\n\n     \xe2\x80\xa2\t Third-Party Price Comparison. A third-party price comparison is a\n        comparison of the actual purchase or sale price against prices available\n        from other brokers/dealers. The policy in effect during FY 2011 required\n        OFTI investment officers to obtain three bids for each security purchase or\n        sale; therefore, a price comparison control is already in place.\n\nAssertion 5: One Service Provider\nThe PDST asserted that OST had insufficient internal controls because SEI\nprovided both custody and accounting services. 4 This means that the custody\nservice provider\xe2\x80\x99s records cannot be reconciled to an accounting system\nprovider\xe2\x80\x99s record. 5 The use of one provider for both custody and accounting\nservices, however, is not an internal control weakness in and of itself.\n\nSEI uses two separate systems, one for custody of assets and the other for\naccounting. Custody is maintained by a subsidiary of SEI, while accounting\nrecords are maintained by SEI. In September 2011, Pricewaterhouse Coopers LLP\ncompleted a Statement on Standard for Attestation Engagements (SSAE) 16\nreview on both systems. The SSAE 16 review compared the internal controls of\nthe two systems against SEI management descriptions of the systems\xe2\x80\x99 design and\ncontrol objectives during a specified period. The review did not identify any\ndeficiencies with the systems.\n\nAssertion 6: Unrated Securities\nThe PDST asserted that OST had insufficient internal controls because three\ntransactions from FY 2010 did not identify the rating of the securities being\ntraded. 6 This assertion is misleading for two reasons. First, OST\xe2\x80\x99s investment\npolicy required only that securities be rated AA or better, not that the rating be\nspecifically identified. Second, the wording of the assertion implies that these\nthree transactions were unrated. All three transactions, however, were Fannie Mae\nsecurities and all Fannie Mae securities have AA+ Standards and Poor ratings.\nTherefore, we could not substantiate this assertion.\n\n\n\n4\n  Assertion 5 states: \xe2\x80\x9c\xe2\x80\xa6Trust Services fails to utilize a trust and custody service provider to provide,\ncustody, asset servicing and safekeeping of assets. Currently Trust Services utilizes SEI Investments Trust\n3000 product as a custodian that does not provide for Trustee Services to maintain a separate record of assets\nto reconcile the OST\xe2\x80\x99s transactions.\xe2\x80\x9d\n5\n  A custody provider maintains physical custody of an asset, either in an electronic format or as a hard copy\nasset. In OST\xe2\x80\x99s case, the asset would be the security purchased.\n6\n  Assertion 6 states: \xe2\x80\x9cInvestments had identified a weakness on the Statement of Assurance on Internal\nControls over Financial Reporting as of 6/30/2011 because an unrated security was purchased. During an\nOTRA review of 18 additional transactions, 3 transactions did not identify the ratings for the securities as\nrequired by OST investment policies.\xe2\x80\x9d\n\n\n                                                                                                             5\n\x0cConclusion\n\nThe PDST made multiple assertions concerning the effectiveness of the internal\ncontrols used by OTFI to prevent or detect investment issues. Based on the\nreasons we outline in this report, we could not substantiate his assertions.\n\n\n\n\n                                                                                 6\n\x0cAppendix 1: Scope and Methodology\n\nScope\nOur scope was limited to the six assertions in the annual assurance statement\nrelated to internal controls in effect during FY 2011. Our audit was not intended\nto provide an opinion on OTFI\'s internal controls or the accuracy of their financial\nrecords. In addition, our audit was limited to the assertions in the annual\nassurance statement related to internal controls over investments at OTFI, and we\nexpress no conclusions or opinions regarding any of the other assertions in the\nmemorandum.\n\nWe conducted this audit in accordance with generally accepted Government\nauditing standards. Those standards require that we plan and perform audits to\nobtain sufficient, appropriate evidence to provide a reasonable basis for our\nfindings and conclusions based on our audit objective. We believe that the\nevidence obtained provides a reasonable basis for our findings and conclusions\nbased on our audit objective.\n\nMethodology\nWe summarized the assertions in the draft \xe2\x80\x9cAnnual Assurance Statement on\nInternal Controls\xe2\x80\x9d for readability. We have, however, included the exact text of\neach assertion in a footnote for accuracy.\n\nIn order to achieve our audit objective, we\xe2\x80\x94\n\n   \xe2\x80\xa2\t Interviewed appropriate OST personnel at all levels of the organization;\n   \xe2\x80\xa2\t Interviewed appropriate NBC personnel responsible for contracting for\n      OST goods and services;\n   \xe2\x80\xa2\t Interviewed appropriate OCIO personnel responsible for completing the\n      TFAS iStat review;\n   \xe2\x80\xa2\t Identified and reviewed laws, regulations, policies and procedures related\n      to OST and its investment process, including policies in place at SEI, an\n      OST contractor;\n   \xe2\x80\xa2\t Identified and reviewed reports related to OST controls, including the\n      system security plan for TFAS, draft iStat for TFAS, Statement of\n      Auditing Standards 70 review of SEI, and SSAE 16 review for SEI;\n   \xe2\x80\xa2\t Gained an understanding of investments and the investment process;\n   \xe2\x80\xa2\t Reviewed the Office of Trust Review and Audit (OTRA) final report,\n      \xe2\x80\x9cAudit of Internal Controls in the Office of Trust Funds Investments\n      (OTFI),\xe2\x80\x9d dated November 1, 2011, as well as 24 supporting work papers;\n\n\n\n\n                                                                                   7\n\x0c\xe2\x80\xa2\t Selected and reviewed a judgmental sample of 30 investment transactions\n   completed in FY 2011 and validated compliance with policies and\n   procedures;\n\xe2\x80\xa2\t Selected and reviewed a judgmental sample of 30 system controls in\n   TFAS and validated they were operational;\n\xe2\x80\xa2\t Selected and reviewed a judgmental sample of two monthly statements of\n   Treasury transactions and validated they matched supporting\n   documentation;\n\xe2\x80\xa2\t Selected and reviewed 12 daily cash reconciliations and validated all\n   differences were identified and corrected;\n\xe2\x80\xa2\t Selected and reviewed 23 daily investment exception monitoring reports\n   and validated the par value of securities agreed with the value of the\n   securities held by SEI (the security custodian); and\n\xe2\x80\xa2\t Conducted other work that we considered necessary to answer the\n   objective.\n\n\n\n\n                                                                            8\n\x0c                                  \xc2\xa0\n\n\n            Report Fraud, Waste,                                    \xc2\xa0\n            and Mismanagement\n                                     \xc2\xa0\n               \xc2\xa0 Fraud, waste, and mismanagement in\n                 government concern  \xc2\xa0 everyone: Office\n               of Inspector General staff, Departmental\n                employees, and the general public. We\n                   actively solicit allegations of any\n                        \xc2\xa0 and wasteful practices, fraud,\n               inefficient\n                    and mismanagement related to\n             \xc2\xa0\n                Departmental or Insular Area programs\n                                                       \xc2\xa0\n                    and operations. \xc2\xa0You can report\n                   allegations to us \xc2\xa0in several ways.\n                                      \xc2\xa0\n                                  \xc2\xa0\n                                  \xc2\xa0\n     By Mail:\t\xc2\xa0        U.S. Department of the Interior \xc2\xa0\n     \xc2\xa0        \xc2\xa0\xc2\xa0       Office of Inspector General \xc2\xa0\n     \xc2\xa0        \xc2\xa0\xc2\xa0       Mail Stop 4428 MIB \xc2\xa0\n     \xc2\xa0        \xc2\xa0\xc2\xa0       1849 C Street, NW \xc2\xa0\n     \xc2\xa0        \xc2\xa0\xc2\xa0       Washington, D.C. 20240 \xc2\xa0\n     \xc2\xa0\n             \xc2\xa0\xc2\xa0\n     By Phone:\t        24-Hour Toll Free\xc2\xa0   \xc2\xa0                        \xc2\xa0\xc2\xa0\n                                                           800-424-5081\n     \xc2\xa0        \xc2\xa0\xc2\xa0       Washington Metro Area\xc2\xa0              202-208-5300\n                                                                     \xc2\xa0\xc2\xa0\n     \xc2\xa0\n           \xc2\xa0\xc2\xa0 \xc2\xa0\n     By Fax:\t          703-487-5402\n     \xc2\xa0\n     By Internet:\t     www.doioig.gov\n\xc2\xa0\xc2\xa0\n                                                                          \xc2\xa0\n\x0c'